Wednesday, April 21, 2021

If You’re Going to Get SASE Then We Can’t Be Trusted

Don’t take it personal. I trust you with everything but the network, internet, computer, phone, web browser, or anything you can put in a USB jack except epoxy (USB lava lamps excepted), or anything else required to do your job. Those of you in the know are asking why it took 40 words to say zero trust. Simple, it was all a setup for the lava lamps.

SASE wasn’t a typo; I didn’t mean sassy. SASE stands for secure access service edge. SASE is a security model designed to address cloud security. The zero trust model is just one component of SASE. As I explain SASE I will devote a blog to each of the concepts that make up a SASE model. In my most recent blog at SecureIQLab I talk about zero trust. As I point out in the blog, zero trust means “trust but verify.”

Don’t trust that the blog actually exists, verify it for yourself!

Randy Abrams

The SPAMfighter Security Threat

While looking for a company or researcher who might want my spam samples to help train their AI systems, I stumbled across a product called SPAMfighter. I’m going to assume that the people behind SPAMfighter are not evil, just dangerously unqualified to touch anything related to security.

So, what’s wrong with SPAMfighter? SPAMfighter uses crowdsourcing and an untrained AI system to identify spam. Once a user flags an email as spam, all of the customers are protected... or are they? I mean, what could possibly go wrong? Here’s what.

If an email is incorrectly flagged as spam by a customer, there’s no undo. There is no mechanism to report false positives. The email address is forever blocked and the account owner doesn’t know that their email is being flagged as spam. Note, blocked is SPAMfighter’s terminology for sending email to the spam folder.

Let me describe a scenario. You and I have a falling out. I have email from you from the good old days when you still bought me beer. I dig up one of your emails, right-click and choose “Block.” Tada! Your email is blocked from all of SPAMfighter’s customers. The odds are that I’m the only person you know who uses SPAMfighter until after this blog is posted, so it’s not a big deal for you. But it can be seriously harmful to their userbase. But that’s not one of the more interesting scenarios.

Let’s say I’m mad at my bank… yeah, you see where this is going. Don’t worry, evidently somebody else was mad at my bank… SPAMfighter blocked my bank’s email. Here’s just one of the problems that it creates. I, and many other people, get an email if there is an online credit card transaction. Obviously, time is of the essence if the charge was fraudulent, but most people are unlikely to check their spam folder promptly unless they are expecting an email that hasn’t shown up.

It does get better. Let’s say I’m mad at a massage spa chain (I won’t say which one). I get an email from them and I select block to get them classified as spam. Since the spas are franchised, they each have their own unique domain name. Whew, at least the rest of the franchises won’t become acceptable collateral damage. Well, you’d think not, but as it happens the spa chain’s emails don’t come from the franchises or from headquarters. Here’s what would happen if I flagged their email. Like 12,000+ other businesses in over 50 countries, the spa uses an industry-specific service from Zenoti. The promotional emails are sent from a zenoti.com email address. Yep, one or two clicks, and 12,000+ other businesses are negatively impacted or potentially in harm’s way. This is truly as simple as attack tools get.

Shall we talk about the emails from .gov domains? Yep, .gov, bankofamerica.com, aarp.org, xfinity.com, linkedin.com, twitter.com, newyorker.com, nytimes.com, offcedepot.com, costco.com, homedepot.com, wordpress.com, gmail.com, amazon.com, uhc.com(healthcare), trinet.com(healthcare), virusbulletin.com, aavar.org, lastpass.com, eset.com, eccouncil.org, google.com, and some closed security lists that I am not at liberty to divulge. Note that google.com is not the same as gmail.com. Google sends very important security related emails from the google.com domain.

SPAMfighter claims to use AI in addition to their dangerously reckless crowdsourcing model. Some of the domains blocked were definitely from their “AI” implementation. False positives are very common when training AI systems and sometimes whitelisting is in order to compensate for dangerous system deficiencies. Unfortunately, SPAMfighter appears to have no intent to remediate the serious security flaws in their system. I have offered on multiple occasions to create a large whitelist for them. There has never been a reply to my emails.
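To make the design problem concrete, here is an added illustration (not SPAMfighter’s code, nor any vendor’s) of the crowdsourced blocking model the post describes beside a hardened form: a block requires several distinct reporters, a reporter can withdraw a report, addresses and domains on an allowlist can never be crowd-blocked, and every block or unblock is logged so the sender can be told. The class and function names, the threshold of three reporters, and the sample addresses are constructed for the example; only the zenoti.com domain comes from the post.

```python
# Added example, not SPAMfighter's code: a toy model of "one report blocks a
# sender for everyone" beside a hardened variant. Names, thresholds and the
# sample addresses are constructed for illustration.
from collections import defaultdict


def _domain(address: str) -> str:
    """Return the domain part of an email address, lower-cased."""
    return address.lower().rsplit("@", 1)[-1]


class NaiveBlocklist:
    """The flaw in one class: any single report blocks a sender for every
    customer, there is no undo, and the sender is never told."""

    def __init__(self):
        self.blocked = set()

    def report_spam(self, reporter: str, sender: str) -> None:
        self.blocked.add(sender.lower())  # one click, global effect

    def is_blocked(self, sender: str) -> bool:
        return sender.lower() in self.blocked


class SaferBlocklist:
    """Hardened variant: a sender is blocked only once `threshold` distinct
    reporters agree (net of false-positive reports), allowlisted addresses or
    domains (shared bulk-mail infrastructure, banks, security notices) are never
    crowd-blocked, and state changes are logged for notification and audit."""

    def __init__(self, threshold: int = 5, allowlist=()):
        self.threshold = threshold
        self.allowlist = {entry.lower() for entry in allowlist}
        self.spam_reports = defaultdict(set)  # sender -> {reporter ids}
        self.fp_reports = defaultdict(set)    # sender -> {reporter ids}
        self.audit_log = []                   # (event, sender) tuples

    def _allowlisted(self, sender: str) -> bool:
        return sender in self.allowlist or _domain(sender) in self.allowlist

    def _record_state_change(self, sender: str, was_blocked: bool) -> None:
        now_blocked = self.is_blocked(sender)
        if now_blocked != was_blocked:
            self.audit_log.append(("blocked" if now_blocked else "unblocked", sender))

    def report_spam(self, reporter: str, sender: str) -> None:
        sender = sender.lower()
        if self._allowlisted(sender):
            self.audit_log.append(("ignored_allowlisted_report", sender))
            return
        was = self.is_blocked(sender)
        self.fp_reports[sender].discard(reporter)  # each reporter holds one vote
        self.spam_reports[sender].add(reporter)    # a set, so repeats count once
        self._record_state_change(sender, was)

    def report_false_positive(self, reporter: str, sender: str) -> None:
        """The undo the post says is missing: a reporter can vote 'not spam'."""
        sender = sender.lower()
        was = self.is_blocked(sender)
        self.spam_reports[sender].discard(reporter)
        self.fp_reports[sender].add(reporter)
        self._record_state_change(sender, was)

    def is_blocked(self, sender: str) -> bool:
        sender = sender.lower()
        if self._allowlisted(sender):
            return False
        net_votes = len(self.spam_reports[sender]) - len(self.fp_reports[sender])
        return net_votes >= self.threshold


def run_scenario() -> dict:
    """Replay the post's scenarios against both designs and return the outcomes."""
    grudge_sender = "oldfriend@example.com"  # constructed address
    bulk_sender = "promo@zenoti.com"          # shared bulk-mail domain named in the post
    bank_sender = "alerts@bank.example"       # constructed address
    spammer = "deals@spam.example"            # constructed address
    naive = NaiveBlocklist()
    safer = SaferBlocklist(threshold=3, allowlist=["zenoti.com", bank_sender])

    # 1. One angry customer reports a former friend, repeatedly.
    naive.report_spam("me", grudge_sender)
    for _ in range(5):
        safer.report_spam("me", grudge_sender)
    # 2. The same customer reports the spa chain's shared bulk-mail sender.
    naive.report_spam("me", bulk_sender)
    safer.report_spam("me", bulk_sender)
    # 3. Three distinct customers agree an address is spam; one later recants.
    for user in ("a", "b", "c"):
        safer.report_spam(user, spammer)
    blocked_after_consensus = safer.is_blocked(spammer)
    safer.report_false_positive("c", spammer)

    return {
        "naive_blocks_friend": naive.is_blocked(grudge_sender),
        "safer_blocks_friend": safer.is_blocked(grudge_sender),
        "naive_blocks_bulk_sender": naive.is_blocked(bulk_sender),
        "safer_blocks_bulk_sender": safer.is_blocked(bulk_sender),
        "blocked_after_consensus": blocked_after_consensus,
        "blocked_after_false_positive": safer.is_blocked(spammer),
        "audit_log": safer.audit_log,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the comparison is the threshold and the allowlist together: a grudge, or one mis-trained classifier, cannot take a bank or a bulk-mail provider offline for every customer, and when the crowd does get it wrong the audit log gives the operator something to act on and the reporter a way to undo it.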

Typically, I would not ask security companies to take action against a vendor for designing a product that the Oxford Dictionary uses as the definition of “gross incompetence.” In this case, though, the product can cause serious financial harm, create a threat to their customers’ health, and block security-related information, and the vendor has no interest in fixing these problems. This includes the inability to have mis-detections remedied and a lack of commitment to remedy their dangerous system.

It should be noted that Twitter has suspended the SPAMfighter account.

It is due to these reasons, and the fact that SPAMfighter, like SubSeven, is a powerful attack tool that is far too easily abused to bring harm to millions of users, that I call upon the antimalware industry to detect SPAMfighter and SPAMfighter Pro as potentially dangerous or potentially unwanted applications.

Incidentally, if any of you, or someone you know wants my growing spam collection to improve anti-spam applications and research, just let me know. I will not publish comments concerning suggested contacts without explicit permission.

Randy Abrams
Opinions are my own, facts are facts.

Thursday, March 18, 2021

If You’re Not Going To Take Privacy Seriously Then Why Should I?

I am reminded of an old joke. I’m old so those are the only jokes I know.

The head brew masters for Coors, Budweiser, and Guinness are at a conference. At the end of the day, they go to the bar. When the bartender asks what they’ll have, the Coors brew master says “I’ll have a Coors, made from Rocky Mountain spring water.” The Budweiser brew master says “I’ll have a Budweiser, the king of beers!” The Guinness brew master orders a Coke. The other two look at the Guinness brew master and ask why he isn’t having beer. He replies “If you’re not having beer then neither will I.” There’s a man who takes his beer more seriously than most people take their privacy.

In my newest blog at SecureIQLab, I discuss the disconnect between many people’s actions and their sometimes irrational privacy concerns, such as fear of Covid tracking apps. Biometric privacy and security risks are real, but do you submit to biometric data capture when you have a choice not to? I end with a little guidance about what should go into a decision when choosing what privacy risk to accept and what to reject.

Essentially it comes down to choosing between cats and privacy. Cats are the only reason the Internet exists, yet once you go online to look at cat videos, especially on YouTube, kiss your privacy goodbye. Choose wisely.

Randy Abrams
Senior Security Analyst (that’s Señor Security Analyst to you)
SecureIQLab

Tuesday, March 9, 2021

Have You Noticed A Pattern To My Blogging?

Some of you may have noticed that I frequently go for long periods of time without blogging. That means I’m employed. When I’m not employed then I have time to blog here.

So now I’m blogging for my employer, SecureIQLab. If you don’t want to wait until I am unemployed again to read my blogs, here are three I’ve written recently.

From Supply Chain to Kill Chain: Biometric Security is a look at some of the ways biometric systems can be attacked. Supply chain attacks are the launchpad for many breaches. For biometric devices this can be problematic. But there’s more…

A couple of years ago I was tasked with writing an article about biometric privacy. 200 hours of research later I had tested every breathalyzer on the market. Well, not really since I just thought of that research. Maybe we can have a beer and breathalyzer club and do Zoom meetings with B&B (Beer and breathalyzers).

Ok, actually the most interesting thing I found was that in Illinois people can sue their own employer into bankruptcy for violations of the Illinois Biometric Information Privacy Act. It’s not just for employers, Facebook settled for $650 million for BIPA violations. Anyway, privacy legislation is getting stricter and the number of states that have such laws or will have them is increasing.

Pretty much anyone considering using biometrics for commercial purposes needs to stay on top of things to avoid costly mistakes. The Illinois BIPA is not at all hard to comply with, and similar laws in other states are easy to comply with, but you have to know what they are and what is required for compliance. It’s good for consumers to know what protections they have as well. Come on over and take a look at some Biometric Legal Implications. This isn’t a law school class and I’m not a lawyer, so there are no parties of any part, no binding arbitration agreements, and it doesn’t cost $500/hour to read it either.

Next up!

Yes indeed, The Supply Chain Looks Like a Bunny Rabbit With a Drum. Well, what can I say? The Rabbit of Caerbannog has nothing on the Energizer Bunny, Sony, the Russians, or stupid ideas like a Wi-Fi water kettle and networked fish aquarium thermometers in casinos! Seriously, one stupid unsecured refrigerator can spoil your company’s security. Any questions?

Finally

GoDaddy gave a world-class lesson on how to f*ck user security awareness training, encourage insider attacks, and put your customers at increased risk. I explain in Inciting Supply Chain Attacks GoDaddy Style.

I hope you’ll pop over and take a look!

Cheers,

Randy Abrams
Senior Security Analyst and Rabbit Whisperer
SecureIQLab


Saturday, April 25, 2020

COVID-19 Has Been Confirmed To Cause AUC (Acutely Uninformed Comparisons)

You’ve all heard it: There are more deaths due to car accidents than to COVID-19, but we don’t shut down the economy due to lethal car accidents. Or, we didn’t shut down the economy due to SARS, MERS, or Justin Bieber. And people nod their heads as if these are rational comparisons, all the while oblivious to the concepts of research and analytical thinking.

Let’s start with the SARS comparison. I start with SARS because I once had a moped and the brakes worked just fine. Moped brakes are also far less expensive than the brakes used on 18-wheelers. If moped brakes are good enough for a moped, then no semi should need more than moped brakes to stop it. Now that we have established that the same brakes which are appropriate for mopeds are undeniably suitable for 18-wheelers, we can demonstrate that the response to COVID-19 should be identical to the response to SARS.

In 2003, there were approximately 8,100 confirmed cases of SARS and about 750 deaths—worldwide. We’re talking about a whole year of cases and the entire world. In the first 3 months of 2020, there were more than 55,000 confirmed cases of COVID-19 . . . in New York alone. Not in the world, not in the US, not even in the north east. 55,000 cases in New York alone. I know, I know, those numbers are so close; I’m clearly splitting hairs. Obviously, the response to COVID should mirror the response to SARS. (Where are those damned moped brakes when you need them?) But comparing New York to the world is like comparing apples to moped brakes. Let’s go worldwide. In less than four months, we’re talking about 2.8 million confirmed COVID-19 cases worldwide—roughly equivalent to 8,100, right? The 195,000 confirmed COVID-19-related deaths worldwide is essentially equal to 750 deaths, and therefore, the response should be roughly equivalent. Give me a minute, I need to go hoard moped brakes.

I’m back. Where did I leave off? Oh yeah, MERS, which is a disease that is known to have infected 2 people in the United States. Both cases were in 2014. Neither victim spread the disease to their families or to healthcare workers. Since 2012, there have been 2,494 confirmed MERS cases (worldwide), 857 deaths attributed to MERS (worldwide), and 27 countries known to have had MERS cases. So far, over 200 countries have reported cases of COVID-19. Yeah, you guessed it . . . that’s also roughly equivalent to 27.

Let’s pick up the pace a bit. Just like the COVID-19 infection rate, cars go really fast. OK, the Datsun B210 didn’t, but let’s ignore that one.

The response to COVID-19 is aimed at flattening the curve and putting it on a declining trajectory.  How have we been doing when it comes to the car conundrum?

Since about 1973, the number of deaths per year in the US due to traffic accidents has trended downward while the population and the billions of vehicle miles traveled (VMT) per year have grown rapidly, so the number of deaths per million people and per ten billion VMT has shown an incredible decline. Around 1973, there were approximately 260 traffic fatalities per million people. Since 2005, the number of traffic fatalities per million people has not exceeded 150, and since 2010 it has not exceeded 120 per million people.

Still, the body count is significant and must not be dismissed. Body count is the gross number of deaths, not the net number which would be the number of deaths due to car accidents minus the number of lives saved due to the use of cars to transport people to hospitals, doctor’s offices, drug stores, etc. Now how about the net number of deaths directly attributable to COVID-19 minus the sum of the lives saved by COVID-19? Yeah, the net is essentially equal to the gross. If you are going to gauge the appropriateness of response based upon deaths, then the net is the relevant number as the basis of comparison.

Now let’s look at cars. I don’t have a source for numbers, nor do I know where to find one—but I haven’t searched particularly hard either. We know that cars are used to get people medical care, both proactive and reactive, which saves lives. While I don’t have an official number, it’s inconceivable that it is less than highly significant. I really don’t have time to extrapolate from statistics the number of lives saved by early detection using procedures that are not typically performed at home and that do not typically require an ambulance for transportation. I do not include trips requiring ambulances because they would be considered essential, and therefore allowed.

How about the flu? Of all of the comparisons I have heard, comparing our reaction to COVID-19 to the flu is the closest to rational that I have heard—at least this is comparing fruit to fruit. But it is still deeply flawed to compare the mortality rate of pre-existing seasonal flus to COVID-19. It does not take into account the fact that COVID-19 numbers are significantly reduced because we have taken drastic actions, and even with these actions, we are getting quite close to the number of other flu fatalities per year. It is true that the numbers vary from season to season. Even with extreme measures taken, COVID-19 is proving more lethal in 2020 than influenza has been in many years, and the number is still growing rapidly. There are vaccines for seasonal flus, but not for COVID-19. I haven’t even touched on things like incubation periods, asymptomism (is that a word?), availability of tests, and turnaround time for test results.

Bonus question! Of SARS, MERS, H1N1, and cars, which has caused global shortages of ventilators, N95 respirator masks, and widespread infection of healthcare workers? According to the CDC, 19% of those who are infected by COVID-19 are healthcare professionals.

I need to return to the car-to-COVID-19 response comparison. I’ll throw a bone to those who think it is valid. True story: I have a friend in Belgium, who has a friend, who in turn has a friend, who survived a fatal car accident in Belgium. Precisely one week later, a car ran into mine (in Washington State) because my friend’s friend’s friend was in a collision in Belgium. Really, it happens all of the time. Car accidents in 200+ countries can be directly attributed to that one accident, and the body count is climbing.

Shhhhhhh. We don’t want to disillusion the people who believe that the car-to-COVID-19 response comparison is valid.

I am not commenting on when we should or should not lift the quarantine. If you want to discuss that, fine. Just don’t use blatantly stupid and/or disingenuous comparisons to support your arguments. In case it isn’t clear, comparing shutting down the economy until cars are much safer to a temporary quarantine is also disingenuous.

And for the record, I am completely incapable of sarcasm.

I’m Randy Abrams, Independent Security Analyst, and I approve this message.